Are you one of the million people whose biometric data has been exposed?

The biometric data of over 1 million people has been exposed on a publicly accessible database.

15th August 2019

A publicly accessible database owned by Suprema has exposed the biometric data of over one million people. In effect, this included fingerprints, facial recognition information, unencrypted usernames and passwords, and personal information.

28 million records exposed

Over 6,000 organisations utilise the database, including defence contractors, multinational businesses, governments, banks, and the UK Metropolitan police. Suprema provides the biometrics software BioStar 2 in order to help company administrators control access to facilities.

However, Israeli researchers from VPN review service vpnMentor, Noam Rotem and Ran Locar, discovered that the database was particularly vulnerable. In fact, their routine scan found that by manipulating URL search criteria they were able to access nearly 28 million records and 23GB of data.

Highly sensitive data

As their blog post notes, the data leaked in the breach is of a highly sensitive nature and thus lends itself to exploitation. For example, it included access to client admin panels, dashboards, back-end controls, and permissions.

The team was also able to access personal details, including employee home addresses, emails and start dates. In addition to this, they viewed the employee structures and hierarchies of businesses, as well as mobile device and OS information.

Moreover, vpnMentor noted that it was surprising just how unsecured the account passwords were. Within the BioStar 2 database, passwords appeared as plain text files, rather than securely hashed.

How safe is your biometric data?

This particular breach exemplifies the potential for criminals to exploit biometric data, with BioStar 2’s database containing almost every kind of sensitive data available. As a result, the affected organisations and individuals may now face disastrous consequences.

As vpnMentor warns, users cannot change facial recognition and fingerprint information. Once criminals have access to this highly sensitive data, the affected individuals are ultimately helpless when it comes to rectifying the breach.

It is thus incredibly worrying that BioStar 2 stores this information is such an vulnerable manner. Considering the potential value of biometric data, it is likely that cyber criminals will use this information for malicious purposes.

Stealing fingerprints

While using stolen fingerprints is not necessarily a widespread practice as of yet, it has the potential to cause a significant amount of damage. Today, fingerprints are replacing traditional typed passwords on many consumer goods.

Despite the use of biometric data in our mobile phones, most fingerprint scanners on such devices are unencrypted. Using technology that can replicate or steal fingerprints, hackers can access personal messages, photos, and payment methods.

While traditional typed passwords are not entirely secure either, many phones do offer two-way encryption. It thus worth considering whether a convenient way to unlock your device is worth a potential security breach.